Before the

Federal Communications Commission

Washington, DC 20554

In the Matter of

TerraCom, Inc., and YourTel America, Inc.

File Nos.: EB-TCD-13-00009175, EB-IHD-13-00010677

Acct. No.: 201432170015

FRN: 0010103745 and 0008410409

ORDER

Adopted: July 9, 2015 Released: July 9, 2015

By the Chief, Enforcement Bureau:

* The Enforcement Bureau (Bureau) of the Federal Communications Commission has entered into a Consent Decree resolving its investigation into whether TerraCom, Inc. (TerraCom), and YourTel America, Inc. (YourTel) (collectively, the Companies) failed to protect the confidentiality of proprietary information that they received from customers applying to demonstrate eligibility for their low-income Lifeline phone services, including sensitive personal information such as names, addresses, dates of birth, full or partial Social Security numbers, and driver's licenses. The Companies' vendor stored the proprietary information of more than 300,000 customers in clear, readable text on servers that were accessible over the Internet, and the data was not password protected or encrypted. The Companies' failure to provide reasonable protection resulted in a data breach which exposed their customers' personal information to unauthorized individuals. After learning that a news reporter had discovered the breach and was preparing to publish an article, TerraCom and YourTel notified the Bureau of the breach.

* The failure to reasonably secure customers' proprietary information violates a carrier's duty under the Communications Act and also constitutes an unjust and unreasonable practice in violation of the Act. These duties ensure that consumers can trust that carriers have taken appropriate steps to prevent unauthorized persons from accessing, viewing or misusing their personal information. The Commission has made clear that it expects telecommunications carriers such as TerraCom and YourTel to take "every reasonable precaution" to protect their customers' data, and that it is committed to protecting the personal information of American consumers from misappropriation, breach, and unlawful disclosure.

* The Consent Decree also resolves the Bureau's investigation into whether YourTel violated the Commission's rules by failing to timely de-enroll ineligible subscribers from its Lifeline service after the Universal Service Administrative Company instructed it to do so. The Commission's rules and orders governing Lifeline specify that eligible telecommunications carriers are permitted to receive universal service support reimbursement only for each qualifying low-income consumer they serve. Eligibility and de-enrollment rules ensure that universal service support is not directed towards consumers who may be ineligible for Lifeline, thereby protecting the integrity of this important Universal Service Fund program.

* To settle this matter, TerraCom and YourTel will pay a civil penalty of $3,500,000, for which they are jointly and severally liable, and will develop and implement a compliance plan to ensure appropriate procedures are incorporated into the Companies' business practices to protect consumers against similar data breaches in the future. In particular, TerraCom and YourTel will be required to improve their privacy and data security practices by: (i) designating a senior corporate manager who is a certified privacy professional; (ii) conducting a privacy risk assessment; (iii) implementing a written information security program; (iv) maintaining reasonable oversight of third party vendors; (v) implementing a data breach response plan; and (vi) providing privacy and security awareness training to employees. Additionally, YourTel will be required to implement a compliance plan to improve its compliance with the Lifeline eligibility and de-enrollment rules. TerraCom and YourTel will also file regular compliance reports with the FCC.

* After reviewing the terms of the Consent Decree and evaluating the facts before us, we find that the public interest would be served by adopting the Consent Decree and terminating the referenced investigation regarding TerraCom's and YourTel's compliance with Sections 201(b) and 222(a) of the Communications Act of 1934, as amended (Act), as well as the referenced investigation regarding whether YourTel violated Sections 54.405, 54.407, and 54.409 of the Commission's rules and its orders governing the provision of Lifeline service to low-income consumers.

* In the absence of material new evidence relating to this matter, we do not set for hearing the question of TerraCom's or YourTel's basic qualifications to hold or obtain any Commission license or authorization.

* Accordingly, IT IS ORDERED that, pursuant to Sections 4(i) and 503(b) of the Act and the authority delegated by Sections 0.111 and 0.311 of the Rules, the attached Consent Decree IS ADOPTED and its terms incorporated by reference.

* IT IS FURTHER ORDERED that the above-captioned investigations ARE TERMINATED.

The Enforcement Bureau of the Federal Communications Commission, TerraCom, Inc. (TerraCom), and YourTel America, Inc. (YourTel), by their authorized representatives, hereby enter into this Consent Decree for the purpose of terminating the Enforcement Bureau's investigation into whether TerraCom and YourTel violated Sections 201(b) and 222(a) of the Communications Act of 1934, as amended, and whether YourTel violated Sections 54.405, 54.407, and 54.409 of the Commission's rules and its orders governing the provision of Lifeline service to low-income customers.

DEFINITIONS

For the purposes of this Consent Decree, the following definitions shall apply:

* "Act" means the Communications Act of 1934, as amended.

* "Adopting Order" means an order of the Bureau adopting the terms of this Consent Decree without change, addition, deletion, or modification.

* "Affected Customer" means any Customer whose PI was potentially accessible to unauthorized third parties in connection with the data breach that was the subject of the Investigation.

* "Affiliate" shall have the same meaning defined in Section 153(2) of the Communications Act, 47 U.S.C. § 153(2).

* "Commission" and "FCC" mean the Federal Communications Commission and all of its bureaus and offices.

* "Communications Laws" means, collectively, the Act, the Rules, and the published and promulgated orders and decisions of the Commission to which TerraCom and YourTel are subject by virtue of their business activities.

* "Compliance Plan for Sections 201(b) and 222(a) of the Act" means the compliance obligations, programs, and procedures described in this Consent Decree at paragraph 22.

* "Compliance Plan for Lifeline Eligibility and De-Enrollment Rules" means the compliance obligations, programs, and procedures described in this Consent Decree at paragraph 23.

* "Compliance Plans" as used in this Consent Decree means the Compliance Plan for Sections 201(b) and 222(a) of the Act and the Compliance Plan for Lifeline Eligibility and De-Enrollment Rules.

* "Compliance Training Program for Sections 201(b) and 222(a) of the Act" means the workforce training program described in this Consent Decree at paragraph 22(j).

* "Compliance Training Program for Lifeline Eligibility and De-Enrollment Rules" means the workforce training program described in this Consent Decree at paragraph 23(c).

* "Covered Employees" means all employees of each of TerraCom and YourTel who perform, supervise, oversee, or manage the performance of, duties that relate to TerraCom's or YourTel's responsibilities under the Communications Laws, including, with respect to the Compliance Plans described herein, Sections 201(b) and 222(a) of the Act and the Lifeline Eligibility and De-Enrollment Rules, respectively.

* "Covered Third Party" means any Person that performs services involving the collection, transmission, retrieval, processing, or storage of PI, or any duties that relate to the Lifeline Eligibility and De-Enrollment Rules, pursuant to a contractual relationship or agreement with TerraCom, YourTel, or any Person that they own or control.

* "Covered Third Party Employees" means all employees of any Covered Third Party who perform, supervise, oversee, or manage the performance of, duties that relate to TerraCom's or YourTel's responsibilities under the Communications Laws, including Sections 201(b) and 222(a) of the Act and the Lifeline Eligibility and De-Enrollment Rules.

* "Customer" means any current or former subscriber of and/or applicant for TerraCom's or YourTel's Lifeline services or any other service subject to the Communications Laws.

* "Effective Date" means the date by which the Bureau and TerraCom and YourTel have signed the Consent Decree.

* "ETC" means an eligible telecommunications carrier designated under, or operating pursuant to, Section 214(e) of the Communications Act, as amended, 47 U.S.C. § 214(e), as eligible to offer and receive support for one or more services that are supported by federal universal service support mechanisms pursuant to Section 254(e) of the Act, 47 U.S.C. § 254(e).

* "Investigation" means the investigation commenced by the Bureau in File No. EB-TCD-13-00009175 regarding whether TerraCom and YourTel violated Sections 201(b) and 222(a) of the Act, and the investigation commenced by the Bureau in File No. EB-IHD-13-00010677 regarding whether YourTel violated the Lifeline Eligibility and De-Enrollment Rules.

* "Operating Procedures" means the standard internal operating procedures and compliance policies established by TerraCom and YourTel to implement the Compliance Plans.

* "Parties" means TerraCom, YourTel, and the Bureau, each of which is a "Party."

* "Person" shall have the same meaning defined in Section 153(39) of the Communications Act, 47 U.S.C. § 153(39).

* "Proprietary Information" or "PI" means all types of Customer information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of personal privacy; including but not limited to such confidential information as privileged information, trade secrets, and personally identifiable information -- information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. PI includes, but is not limited to, information such as a consumer's (i) first and last name; (ii) home or other physical address; (iii) email address or other online contact information, such as an instant messaging screen name that reveals an individual's email address; (iv) telephone number; (v) Social Security Number, tax identification number, passport number, driver's license number, or any other government-issued identification number that is unique to an individual; (vi) account numbers, credit card numbers, and any information combined that would allow access to the consumer's accounts; (vii) Uniform Resource Locator ("URL") or Internet Protocol ("IP") address or host name that identifies an individual; or (viii) any combination of the above.

* "Rules" means the Commission's regulations found in Title 47 of the Code of Federal Regulations.

Section 222(a) of the Act, entitled "Privacy of Customer Information," imposes a duty on every telecommunications carrier "to protect the confidentiality of proprietary information of, and relating to . . . customers." The Commission has made clear that Section 222(a) requires carriers to "take every reasonable precaution to protect the confidentiality of proprietary or personal customer information" and that it was "committing to taking resolute enforcement action to ensure that the goals of [S]ection 222 are achieved." In the TerraCom/YourTel NAL, the Commission found that, pursuant to Section 222(a), the term "proprietary information" broadly encompasses all types of information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of personal privacy. The Commission found that "proprietary information" broadly encompasses such confidential information as privileged information, trade secrets, and personally identifiable information -- information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Section 201(b) of the Act states, in pertinent part, that "[a]ll charges, practices, classifications, and regulations for and in connection with [interstate or foreign] communication service [by wire or radio], shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful." The Commission has interpreted Section 201(b) to apply to carriers' practices for protecting PI. Specifically, in the TerraCom/YourTel NAL, the Commission found that Section 201(b) requires companies to employ just and reasonable data security practices to protect consumers' PI against unauthorized access, use, or disclosure.

TerraCom and YourTel are common carriers providing telecommunications services as Eligible Telecommunications Carriers (ETCs) participating in the federal Universal Service Fund (USF or Fund) Lifeline program. TerraCom and YourTel have certain common shareholders, share key management employees, and are joint owners of a third company, BrightStar Global Solutions, LLC, but are separate corporate entities headquartered in Oklahoma and Missouri, respectively.

In connection with evaluating Customers' eligibility for Lifeline services, TerraCom and YourTel collected a variety of sensitive information and documents. Customers were required to submit, among other things, their name, address, date of birth, full or partial social security number, and copies of their driver's license or state ID card. TerraCom and YourTel also collected additional information from Customers, such as one or more of the following: proof of participation in the Supplemental Nutrition Assistance Program; annual statement of government benefits; prior year's state, federal or Tribal tax return; paycheck stubs; Social Security benefit statements; Veterans Administration benefit statements; retirement or pension information; Unemployment or Workers' Compensation benefit statements; Federal or Tribal notice letters of participation in General Assistance; divorce decrees or child support awards; or other official documents establishing the applicant's income level or participation in a relevant program.

Customers submitted their information to TerraCom and YourTel via electronic application forms, and supplemented their applications with scanned images of the supporting documentation described in paragraph 6. TerraCom and YourTel state that they relied on a third-party vendor to securely store this information in a manner that would be accessible only to authorized persons (including representatives of YourTel and TerraCom). TerraCom and YourTel further state that although the third-party vendor implemented various security measures to protect Customers' sensitive information, including using firewalls and encrypting a database containing Customer names, it inadvertently failed to implement password protection for some of the stored data while updating its servers. Accordingly, as described in the TerraCom/YourTel NAL, the PI of more than 300,000 Customers was accessible over the public Internet. Specifically, this information was stored in clear, readable text on servers that were accessible over the Internet, and the data was not password protected or encrypted. Further, in storing the Lifeline Customers' information and documents, certain of the URLs used by the vendor contained the names of the Customers in plain text.

On May 7, 2013, TerraCom and YourTel contacted the Bureau and reported a data breach. On June 17, 2013, the Bureau initiated an investigation into the compromised PI and the associated data breach. On October 24, 2014, the Commission released the TerraCom/YourTel NAL, charging each of TerraCom and YourTel with violating:

* Section 222(a) of the Act by failing to protect the confidentiality of PI that Customers provided to demonstrate eligibility for Lifeline services;

* Section 201(b) of the Act by engaging in unjust and unreasonable practices by failing to employ reasonable data security practices to protect Customers' PI;

* Section 201(b) of the Act by representing in their privacy policies that they protected Customers' PI, when in fact they did not; and

* Section 201(b) of the Act by engaging in unjust and unreasonable practices by failing to notify all Customers whose PI could have been breached by TerraCom's or YourTel's inadequate data security practices.

* Lifeline Eligibility and De-Enrollment Rules

Lifeline is a USF program that helps ensure that qualifying consumers have the opportunities and security that phone service brings, including being able to connect to jobs, family members, and emergency services. ETCs designated pursuant to the Act provide Lifeline service to consumers. Under the Lifeline program rules, ETCs provide discounted service to qualifying consumers and may seek and receive reimbursement from the USF for the revenue they forgo as a result of the discount.

The Commission's Lifeline rules establish explicit requirements that an ETC must meet to receive federal Lifeline support. Section 54.407(a) of the Commission's rules requires that Lifeline support "shall be provided directly to an eligible telecommunications carrier, based on the number of actual qualifying low-income consumers it serves." Pursuant to Section 54.407(b), an ETC may receive Lifeline support only for "each qualifying low-income consumer served." A low-income consumer is "qualifying" only if he or she meets the eligibility criteria set forth in Section 54.409, including the requirement that he or she "must not already be receiving a Lifeline service."

An ETC providing qualifying low-income customers with Lifeline discounts files, on a periodic basis, FCC Form 497 with USAC to request reimbursement for providing service at the discounted rates. An ETC's FCC Form 497 documents the number of qualifying low-income customers served and the total amount of Lifeline support claimed by the ETC during the specified time period. Section 54.407(d) provides that an ETC may receive reimbursement from the Fund only if it certifies as part of its reimbursement request that it is in compliance with the Lifeline rules. An ETC may revise its Form 497 data within 12 months after the data are submitted.

If USAC determines that an ETC is providing Lifeline-discounted service to a subscriber who is also receiving service from another ETC, USAC notifies the subscriber in writing, giving him or her an opportunity to select a single Lifeline service provider; if the subscriber does not make a selection, USAC designates a single ETC to serve as the subscriber's default Lifeline carrier. USAC then notifies the other ETC(s) in writing and directs them to de-enroll subscribers already receiving Lifeline service. USAC includes a spreadsheet with its notification identifying the subscribers each ETC must de-enroll. Pursuant to Section 54.405(e)(2), the ETC must de-enroll the subscriber within five business days of the notification letter.

YourTel provides wireless Lifeline telephone service as an ETC in the following eight states: Illinois, Kansas, Maine, Missouri, Oklahoma, Pennsylvania, Rhode Island, and Washington. YourTel offers wireless service to consumers by using a combination of its own facilities, leased wireline facilities, and the wholesale wireless services of Sprint Spectrum, LLC, and Cellco Partnership d/b/a Verizon Wireless. YourTel also provides wireline Lifeline service in Illinois, Kansas, Missouri, and Oklahoma.

On October 12, 2012, USAC directed YourTel to de-enroll a group of its Lifeline subscribers in Illinois. Subsequently, USAC examined YourTel's Illinois subscriber data for November 2012 and found that YourTel had failed to de-enroll some of those subscribers. USAC referred the matter to the Bureau, which initiated an investigation by issuing a Letter of Inquiry (LOI) to YourTel on July 11, 2013. YourTel responded to the LOI on August 12, 2013. In its response, YourTel admitted that it did not timely de-enroll the subscribers due to a "system error." According to YourTel, the underlying carrier whose service YourTel resold did not convert all of the subscribers to non-Lifeline plans within the requisite time period. USAC confirmed that YourTel subsequently revised its Forms 497 to reimburse the USF for the improperly disbursed funds.

The Parties negotiated the following terms and conditions of settlement and hereby enter into this Consent Decree as provided below.

TERMS OF AGREEMENT

Adopting Order. The provisions of this Consent Decree shall be incorporated by the Bureau in an Adopting Order without change, addition, deletion, or modification.

Jurisdiction. TerraCom and YourTel each agree that the Bureau has jurisdiction over it and the matters contained in this Consent Decree and has the authority to enter into and adopt this Consent Decree.

Effective Date. The Parties agree that this Consent Decree shall become effective on the Effective Date as defined herein. As of the Effective Date, the Parties agree that this Consent Decree shall have the same force and effect as any other order of the Commission.

Termination of Investigation. In express reliance on the covenants and representations in this Consent Decree and to avoid further expenditure of public resources, the Bureau agrees to terminate the Investigation. In consideration for the termination of the Investigation, TerraCom and YourTel each agree to the terms, conditions, and procedures contained herein. The Bureau further agrees that, in the absence of new material evidence, it will not use the facts developed in the Investigation through the Effective Date, or the existence of this Consent Decree, to institute, on its own motion, any new proceeding, formal or informal, or take any action on its own motion against TerraCom or YourTel concerning the matters that were the subject of the Investigation. The Bureau also agrees that, in the absence of new material evidence, it will not use the facts developed in the Investigation through the Effective Date, or the existence of this Consent Decree, to institute on its own motion any proceeding, formal or informal, or to set to hearing the question of TerraCom's or YourTel's basic qualifications to be a Commission licensee or hold Commission licenses or authorizations.

Admissions of Liability. TerraCom and YourTel each admit for the purpose of this Consent Decree and for Commission civil enforcement purposes, and in express reliance on the provisions of paragraph 19 herein, that their actions that were the subject of the Investigation violated Sections 201(b) and 222(a) of the Act. Additionally, YourTel admits for the purpose of this Consent Decree and for Commission civil enforcement purposes, and in express reliance on the provisions of paragraph 19 herein, that its actions that were the subject of the Investigation violated Sections 54.405, 54.407, and 54.409 of the Rules, 47 C.F.R. §§ 54.405, 54.407, and 54.409, and the Commission's Lifeline Reform Order, 27 FCC Rcd 6656, and Lifeline Duplicates Order, 26 FCC Rcd 9022. The Parties agree that this Consent Decree is a compromise settlement and it is their intent that the Consent Decree shall not be used as evidence or precedent in any action, litigation, investigation, or proceeding, except an action to enforce this Consent Decree.

Compliance Officer. Within thirty (30) calendar days after the Effective Date, TerraCom and YourTel each shall designate a senior corporate manager with the requisite corporate and organizational authority to serve as a Compliance Officer and to discharge the duties set forth below. The person designated as the Compliance Officer shall be responsible for developing, implementing, and administering the Compliance Plans, including the Information Security Program (as defined in paragraph 22(b)) required under the Compliance Plans, and ensuring that TerraCom and YourTel comply with the terms and conditions of the Compliance Plans and this Consent Decree. In addition to the general knowledge of the Communications Laws necessary to discharge his or her duties under this Consent Decree, the Compliance Officer shall have specific knowledge of the information security principles and practices necessary to implement the information security requirements of this Consent Decree, and the specific requirements of Sections 222(a) and 201(b) of the Act and the Lifeline Eligibility and De-Enrollment Rules, prior to assuming his/her duties. The Compliance Officer shall promptly and without unreasonable delay become privacy certified by an industry certifying organization and keep current through appropriate continuing privacy education courses.

Compliance Plan for Sections 201(b) and 222(a) of the Act. For purposes of settling the matters set forth herein with respect to Sections 201(b) and 222(a) of the Act, TerraCom and YourTel each agree that it shall, within ninety (90) calendar days after the Effective Date, develop and implement a Compliance Plan designed to ensure future compliance with the Communications Laws, including Sections 201(b) and 222(a) of the Act, and with the terms and conditions of this Consent Decree. Such Compliance Plan must include the following components:

* Risk Assessment. Within thirty (30) calendar days after the Effective Date, TerraCom and YourTel each shall conduct a comprehensive and thorough risk assessment to identify internal and external risks to the security, confidentiality, and integrity of PI collected or maintained by or on behalf of TerraCom and YourTel that could result in unauthorized access, disclosure, misuse, destruction, or compromise of such information (Risk Assessment). The Risk Assessment must evaluate the likelihood and potential impact of these threats and the sufficiency of existing policies, procedures, and other safeguards in place to control risks.

* Information Security Program. Within sixty (60) calendar days after the Effective Date, TerraCom and YourTel each shall develop and implement a reasonable and comprehensive information security program to protect the security, confidentiality, and integrity of PI collected or maintained by or on behalf of TerraCom and YourTel (Information Security Program). TerraCom and YourTel each shall ensure that such Information Security Program is fully documented in writing (including, as appropriate, within the Operating Procedures and Compliance Manual described below) and includes:

* Administrative, technical, and physical safeguards that are reasonable in light of TerraCom's and YourTel's size and complexity, the nature and scope of TerraCom's and YourTel's activities, the sensitivity of the PI collected or maintained by or on behalf of TerraCom and YourTel, and the risks identified through the Risk Assessment;

* Reasonable measures to protect PI collected or maintained by Covered Third Parties, including exercising due diligence in selecting Covered Third Parties, requiring Covered Third Parties by contract to implement and maintain reasonable and comprehensive safeguards for the protection of PI, engaging in the ongoing monitoring of Covered Third Parties' compliance with their security obligations, and implementing measures to sanction Covered Third Parties that fail to comply with their security obligations (including, where appropriate, terminating TerraCom and/or YourTel's relationship with such Covered Third Parties); and

* Policies and procedures to properly identify the nature and extent of PI collected or maintained by or on behalf of TerraCom and YourTel, collect the minimum amount of PI necessary to verify eligibility for the Lifeline program, collect and maintain PI in a manner that is secure, retain PI and Lifeline verification information and documents for no longer than strictly necessary to verify eligibility for the Lifeline program and comply with applicable law, and properly and securely dispose of PI.

* In addition, TerraCom and YourTel each shall:

* Monitor and evaluate their Information Security Programs, on an ongoing (but no less than quarterly) basis, to control the risks identified through the Risk Assessment, to evaluate the effectiveness of the Information Security Program's key controls, systems and procedures, and to ensure compliance with Sections 201(b) and 222(a) of the Act and this Consent Decree;

* Adjust and update their Information Security Programs pursuant to the results of the monitoring and evaluation described above, any material changes to any operations or business arrangements, any relevant changes in technology or to internal or external threats to PI, any changes in Covered Third Parties, or any other circumstances TerraCom or YourTel knows or has reason to know may have a material impact on the effectiveness of the Information Security Program; and

* Engage a qualified, objective, and independent third party auditing firm to review and audit their Information Security Programs using procedures and standards generally accepted in the profession. Such audit shall be completed within ninety (90) calendar days after the Effective Date, and TerraCom and YourTel shall submit copies of the audit reports to the Commission within ten (10) calendar days after their completion.

* Third Party Oversight. Within thirty (30) calendar days after the Effective Date, each of TerraCom and YourTel shall require all existing Covered Third Parties, by contract or amendment to an existing agreement, to protect PI by establishing and maintaining reasonable administrative, technical and physical safeguards that are no less stringent than the requirements to which TerraCom and YourTel are subject pursuant to this Consent Decree, and shall include such requirements in agreements with future Covered Third Parties. Such agreements shall also include strict restrictions on the Covered Third Parties' further disclosure of PI, requirements for notifications of breaches of Covered Third Party systems that may result in unauthorized use or disclosure of PI, and other reasonable security controls. Each of TerraCom and YourTel shall monitor and verify, on an ongoing (but no less than quarterly) basis, that its Covered Third Parties comply with the terms of this paragraph.

* Incident Response Plan. Within thirty (30) calendar days after the Effective Date, TerraCom and YourTel each shall implement and maintain a reasonable and comprehensive security incident response plan to enable TerraCom and YourTel to detect, respond to, and, where appropriate, provide timely notification, in accordance with applicable law and the requirements of paragraph 24 below, to all Customers (at the Customer's last known address and pursuant to TerraCom's and YourTel's reasonable efforts to locate the Customer) and relevant governmental authorities of data breaches involving PI.

* Representations to Customers. Immediately upon the Effective Date and on an ongoing basis thereafter, TerraCom and YourTel each shall not misrepresent, expressly or by implication, in privacy policies, statements on websites, subscriber agreements, or other communications or representations made to Customers, the extent to which TerraCom and YourTel or their Covered Third Parties protect PI. Each of TerraCom and YourTel shall ensure that privacy policies and statements on each of TerraCom's and YourTel's websites regarding Customer privacy and the security of Customers' PI accurately reflect each of TerraCom's and YourTel's data security and privacy practices, and are updated routinely to reflect any material changes.

* Remediation Measures. Within sixty (60) calendar days after the Effective Date, unless otherwise indicated, TerraCom and YourTel each shall:

* Offer to provide one year of complimentary credit monitoring services to all Affected Customers through a nationally recognized credit monitoring service, the availability of which must be described in the notice discussed below; and

* Identify each Affected Customer and ensure that each Affected Customer has been notified (at the Affected Customer's last known address and pursuant to TerraCom's and YourTel's reasonable efforts to locate the Affected Customer) that his or her PI was compromised. The notification to each Affected Customer must include:

+ A general description of the manner in which the Affected Customer's PI was compromised;

+ A general description for all Affected Customers of the type of PI that was compromised;

+ The toll-free telephone numbers and addresses of the major credit reporting agencies;

+ A toll-free hotline and website where Affected Customers may contact each of TerraCom and YourTel to inquire about their compromised PI, and receive reasonable and comprehensive counseling on responding to and mitigating credit harm incidences, including identity theft; and

To the extent an Affected Customer was previously sent a notice that does not meet the requirements set forth above, TerraCom and YourTel shall provide such Affected Customer with an updated notice that satisfies the above requirements.

* Notice of Consent Decree. Within thirty (30) calendar days after the Effective Date, TerraCom and YourTel each shall deliver a copy of this Consent Decree to all existing Covered Employees, and shall also deliver a copy of this Consent Decree to all future Covered Employees within thirty (30) calendar days after the person assumes such position or responsibilities.

* Operating Procedures. Within sixty (60) calendar days after the Effective Date, TerraCom and YourTel each shall establish Operating Procedures that all Covered Employees must follow to help ensure each of TerraCom's and YourTel's compliance with this Consent Decree, including the policies and procedures adopted pursuant to subparts (a)-(f) of this paragraph, and Sections 201(b) and 222(a) of the Act. Each of TerraCom and YourTel shall also develop a compliance checklist that describes the steps that a Covered Employee must follow to ensure compliance with this Consent Decree, and Sections 201(b) and 222(a) of the Act.

* Compliance Manual. Within sixty (60) calendar days after the Effective Date, TerraCom and YourTel each shall develop, use, and maintain a Compliance Manual (which may be in hard copy and/or electronic format), and distribute the same to all Covered Employees and Covered Third Parties. For any person who becomes a Covered Employee or Covered Third Party more than sixty (60) calendar days after the Effective Date, TerraCom and YourTel shall distribute the Compliance Manual to that person within thirty (30) calendar days after the date such person becomes a Covered Employee or Covered Third Party, and prior to such person engaging with Customers with respect to TerraCom's or YourTel's services. Within the same period, TerraCom and YourTel shall further direct all Covered Third Parties to disseminate a copy of the Compliance Manual to each Covered Third Party Employee.

o The Compliance Manual shall set forth and explain the requirements of Sections 201(b) and 222(a) of the Act and this Consent Decree, and shall instruct Covered Employees and Covered Third Party Employees to consult and follow the Operating Procedures to ensure TerraCom's and YourTel's compliance with the Communications Laws and this Consent Decree, including the policies and procedures adopted pursuant to subparts (a)-(f) of this paragraph.

o The Compliance Manual shall require Covered Employees and Covered Third Party Employees to contact their supervisor or the Compliance Officer with any questions or concerns that arise with respect to TerraCom's or YourTel's obligations under or compliance with the Communications Laws and this Consent Decree, and require any supervisor who receives such information from a Covered Employee or Covered Third Party Employee to promptly notify the Compliance Officer. Each of TerraCom and YourTel shall provide, and shall direct Covered Third Parties to provide, a hotline or other appropriate mechanism for anonymous reporting of any noncompliance.

o TerraCom and YourTel each shall periodically review and revise the Compliance Manual to ensure that the information set forth therein remains current and complete.

o TerraCom and YourTel shall (individually or collectively) distribute any revisions of the Compliance Manual to all Covered Employees and Covered Third Parties within thirty (30) calendar days after any revisions have been made by TerraCom or YourTel. These revisions may be in electronic format.

* Compliance Training Program for Sections 201(b) and 222(a) of the Act. Within sixty (60) calendar days after the Effective Date, TerraCom and YourTel each shall establish, implement, and maintain a compliance training program to ensure compliance with Sections 201(b) and 222(a) of the Act and this Consent Decree:

* The Compliance Training Program shall include reasonable and comprehensive privacy and security awareness training for all Covered Employees, Covered Third Parties, and Covered Third Party Employees. The program shall include instruction on TerraCom's and YourTel's obligations, policies, and procedures for protecting PI pursuant to Section 201(b), 222(a), and this Consent Decree, including identifying and collecting PI from Customers, recognizing security threats and suspicious activity that may indicate that PI has been compromised, the timely reporting of data breaches, and other reasonable and appropriate training regarding the protection of PI. Each of TerraCom and YourTel shall cause all Covered Employees whose job functions relate to the implementation of the remediation measures described in paragraph 22(f) to receive training regarding such remediation measures, as described below. In addition, each of TerraCom and YourTel shall direct all Covered Third Parties to ensure that their Covered Third Party Employees receive training in accordance with the Compliance Training Program. For purposes of complying with the provisions of this paragraph, TerraCom and YourTel are permitted to themselves provide the training or use a third party to provide the training described herein;

* As part of the Compliance Training Program, TerraCom and YourTel shall ensure that each Covered Employee is advised of TerraCom's and YourTel's obligations to report any noncompliance with Sections 201(b) and 222(a) of the Act and this Consent Decree, and is instructed on how to disclose noncompliance to the Compliance Officer, including instructions on how to anonymously report such noncompliance. TerraCom and YourTel shall further direct all Covered Third Parties to disseminate the same instructions to each Covered Third Party Employee.

* TerraCom and YourTel shall ensure that the training for Covered Employees is conducted pursuant to the Compliance Training Program within sixty (60) calendar days after the Effective Date, except that any person who becomes a Covered Employee at any time after the initial Compliance Training Program shall be trained within thirty (30) calendar days after the date such person becomes a Covered Employee. Each of TerraCom and YourTel shall document their Covered Employees' completion of the training. TerraCom and YourTel shall further direct and contractually require that all Covered Third Parties conduct the same type of training for each of their Covered Third Party Employees within the same period, and that completion of training is documented.

* Within sixty (60) calendar days after the Effective Date, neither TerraCom nor YourTel shall allow any Covered Employee to interact with any Customer about TerraCom's or YourTel's service until the Covered Employee has been trained and has received a copy of the Compliance Manual. Beginning within ninety (90) calendar days after the Effective Date, TerraCom and YourTel shall further direct all Covered Third Parties to ensure that their Covered Third Party Employees shall not interact with any Customer about TerraCom's or YourTel's service until their Covered Third Party Employees have been trained and have received copies of the Compliance Manual; and

* TerraCom and YourTel shall ensure that the Compliance Training Program is conducted at least annually and shall periodically review and revise the Compliance Training Program as necessary to ensure that it remains current and complete and to enhance its effectiveness.

Compliance Plan for Lifeline Eligibility and De-Enrollment Rules. For purposes of settling the matters set forth herein with respect to the Lifeline Eligibility and De-Enrollment Rules, YourTel agrees that it shall, within sixty (60) calendar days after the Effective Date, develop and implement a Compliance Plan designed to ensure future compliance with the Communications Laws, including the Lifeline Eligibility and De-Enrollment Rules, and with the terms and conditions of this Consent Decree. With respect to the Lifeline Eligibility and De-Enrollment Rules, YourTel will implement, at a minimum, the following procedures:

* Operating Procedures. Within thirty (30) calendar days after the Effective Date, YourTel shall establish Operating Procedures that all Covered Employees must follow to help ensure YourTel's compliance with the Lifeline Eligibility and De-Enrollment Rules. YourTel's Operating Procedures shall include internal procedures and policies specifically designed to ensure that YourTel timely de-enrolls customers determined to be ineligible for the program, and avoids improperly claiming ineligible customers for Lifeline support. YourTel shall also develop a compliance checklist that describes the steps that a Covered Employee must follow to ensure compliance with the Lifeline Eligibility and De-Enrollment Rules. The Operating Procedures and compliance checklist shall include internal procedures and policies specifically designed to ensure compliance with the following requirements:

o Upon notification by USAC that a subscriber is receiving Lifeline service from another ETC or that more than one member of a subscriber's household is receiving Lifeline service and therefore that the subscriber should be de-enrolled from participation in YourTel's Lifeline program, YourTel must de-enroll the subscriber from program participation within five (5) business days pursuant to Section 54.405(e)(2).

o YourTel shall not claim Lifeline reimbursement for any subscriber identified by USAC to be de-enrolled pursuant to Section 54.405(e)(2) more than five (5) business days following USAC notification pursuant to that rule section.

o For purposes of the Form 497 claim process and prior to submitting a Form 497 claim for reimbursement following any subscriber de-enrollments performed pursuant to Section 54.405(e)(2): YourTel must confirm the specified ineligible subscribers are not included in any claim for reimbursement following the date of de-enrollment or more than five (5) business days following USAC notification; and YourTel will adopt procedures that provide for routine checks that such de-enrollments are timely performed, and describe these checks in its Compliance Reports.

o To the extent YourTel uses a Covered Third Party for verifying, maintaining, or updating subscriber information, providing records management and storage, or processing enrollments or de-enrollments, YourTel will establish oversight procedures, including regular compliance checks, to ensure compliance with the Lifeline Eligibility and De-Enrollment Rules and the terms of this Consent Decree. YourTel will describe these compliance checks in its Compliance Reports.

* Compliance Manual. Within sixty (60) calendar days after the Effective Date, YourTel shall develop, use, and maintain a Compliance Manual (which may be in hard copy and/or electronic format), and distribute the same to all Covered Employees and Covered Third Parties. For any person who becomes a Covered Employee or Covered Third Party more than sixty (60) calendar days after the Effective Date, YourTel shall distribute the Compliance Manual to that person within thirty (30) calendar days after the date such person becomes a Covered Employee or Covered Third Party, and prior to such person engaging with Customers with respect to YourTel's services. Within the same period, YourTel shall further direct all Covered Third Parties to disseminate a copy of the Compliance Manual to each Covered Third Party Employee.

o The Compliance Manual shall set forth and explain the requirements of the Lifeline Eligibility and De-Enrollment Rules and this Consent Decree, and shall instruct Covered Employees and Covered Third Party Employees to consult and follow the Operating Procedures to ensure YourTel's compliance with the Communications Laws and this Consent Decree.

o The Compliance Manual shall require Covered Employees and Covered Third Party Employees to contact their supervisor or the Compliance Officer with any questions or concerns that arise with respect to YourTel's obligations under or compliance with the Communications Laws and this Consent Decree, and require any supervisor who receives such information from a Covered Employee or Covered Third Party Employee to promptly notify the Compliance Officer.

o YourTel shall periodically review and revise the Compliance Manual to ensure that the information set forth therein remains current and complete.

o YourTel shall distribute any revisions of the Compliance Manual to all Covered Employees and Covered Third Parties within thirty (30) calendar days after any revisions have been made by YourTel. Like the Compliance Manual, these revisions may be in electronic format.

* Compliance Training Program for Lifeline Eligibility and De-Enrollment Rules. YourTel shall establish and implement a Compliance Training Program on compliance with the Lifeline Eligibility and De-Enrollment Rules and the Operating Procedures. As part of the Compliance Training Program, Covered Employees and Covered Third Parties shall be advised of YourTel's obligation to report any noncompliance with the Lifeline Eligibility and De-Enrollment Rules under paragraph 24 of this Consent Decree and shall be instructed on how to disclose noncompliance to the Compliance Officer. All Covered Employees and Covered Third Parties shall be trained pursuant to the Compliance Training Program within sixty (60) calendar days after the Effective Date, except that any person who becomes a Covered Employee or Covered Third Party at any time after the initial Compliance Training Program shall be trained within thirty (30) calendar days after the date such person becomes a Covered Employee or Covered Third Party. YourTel shall repeat compliance training on an annual basis, and shall periodically review and revise the Compliance Training Program as necessary to ensure that it remains current and complete and to enhance its effectiveness.

Reporting Noncompliance. Each of TerraCom and YourTel (collectively or individually) shall report any noncompliance with Sections 201(b) and 222(a)-(c) of the Act, the Commission's CPNI rules, the terms and conditions of this Consent Decree, and, for YourTel, the Lifeline Eligibility and De-Enrollment Rules, within fifteen (15) calendar days after discovery of such noncompliance. Such reports shall include a detailed explanation of: (i) each instance of noncompliance; (ii) the steps that each of TerraCom and YourTel have taken or will take to remedy such noncompliance; (iii) the schedule on which such remedial actions will be taken; and (iv) the steps that each of TerraCom and YourTel have taken or will take to prevent the recurrence of any such noncompliance. Each of TerraCom and YourTel shall also report any breaches of PI or CPNI as soon as practicable, but no later than seven (7) business days after reasonable determination of the breach. Such reports shall include, to the extent known, a detailed explanation of: (i) the nature of the breach; (ii) the date of the breach; (iii) the date of discovery of the breach; (iv) the type of PI or CPNI involved in the breach; (v) the number of individuals affected by the breach; and (vi) the steps that each of TerraCom and YourTel have taken or will take to remedy the breach and prevent its recurrence. All reports of noncompliance or PI/CPNI breaches shall be submitted to (1) the Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission, 445 12th Street, SW, Rm. 4C-224, Washington, DC 20554, with a copy submitted electronically to David.Valdez@fcc.gov, Michael.Epshteyn@fcc.gov, and Shante.Willis@fcc.gov, and (2) the Chief, Investigations and Hearings Division, Federal Communications Commission, 445 12th Street, SW, Rm. 4-C224, Washington, DC 20554, with a copy submitted electronically to Jeffrey.Gee@fcc.gov, Kalun.Lee@fcc.gov, and Mindy.Littell@fcc.gov.

Compliance Reports. Each of TerraCom and YourTel shall file compliance reports with the Commission ninety (90) days after the Effective Date, six (6) months after the Effective Date, twelve (12) months after the Effective Date, twenty-four (24) months after the Effective Date, and thirty-six (36) months after the Effective Date.

* Each Compliance Report shall include a detailed description of TerraCom's and YourTel's efforts during the relevant period to comply with the terms and conditions of this Consent Decree and Sections 201(b) and 222(a) of the Act and, for YourTel, compliance with the Lifeline Eligibility and De-Enrollment Rules. In addition, each Compliance Report shall include a certification by the Compliance Officer, as an agent of and on behalf of each of TerraCom and YourTel, stating that the Compliance Officer has personal knowledge that TerraCom and YourTel: (i) have established and implemented the Compliance Plans required by paragraphs 22 and 23; (ii) have utilized the applicable Operating Procedures since the implementation of the Compliance Plans; and (iii) are not aware of any instances of noncompliance with the terms and conditions of this Consent Decree, including the reporting obligations set forth in paragraph 24 of this Consent Decree.

* The Compliance Officer's certification shall be accompanied by a statement explaining the basis for such certification and shall comply with Section 1.16 of the Rules and be subscribed to as true under penalty of perjury in substantially the form set forth therein.

* If the Compliance Officer cannot provide the requisite certification, the Compliance Officer, as an agent of and on behalf of each of TerraCom and YourTel, shall provide the Commission with a detailed explanation of the reason(s) why and describe fully: (i) each instance of noncompliance; (ii) the steps each of TerraCom and YourTel have taken or will take to remedy such noncompliance, including the schedule on which proposed remedial actions will be taken; and (iii) the steps that each of TerraCom and YourTel have taken or will take to prevent the recurrence of any such noncompliance, including the schedule on which such preventive action will be taken.

* Each Compliance Report shall also include a detailed description of any new or additional telecommunications companies owned, in whole or in part, by any of the present or past owners, shareholders, officers, or directors of TerraCom and YourTel. The Compliance Report shall also include a description of any additional telecommunications companies managed by the companies that manage TerraCom and YourTel.

Termination Date. Unless stated otherwise, the obligations set forth in paragraphs 22(f)-(j), 23, 24, and 25 of this Consent Decree shall expire thirty-six (36) months after the Effective Date. The obligations set forth in paragraph 21 shall remain in effect during the entire period that each of TerraCom and YourTel collects PI from or about Customers. The remaining obligations set forth in paragraph 22 shall expire eight (8) years after the Effective Date.

Section 208 Complaints; Subsequent Investigations. Nothing in this Consent Decree shall prevent the Commission or its delegated authority from adjudicating complaints filed pursuant to Section 208 of the Act against TerraCom, YourTel, or their Affiliates for alleged violations of the Act, or for any other type of alleged misconduct, regardless of when such misconduct took place. The Commission's adjudication of any such complaint will be based solely on the record developed in that proceeding. Except as expressly provided in this Consent Decree, this Consent Decree shall not prevent the Commission from investigating new evidence of noncompliance by TerraCom or YourTel with the Communications Laws.

Civil Penalty. TerraCom and YourTel shall pay a civil penalty to the United States Treasury in the amount of three million five hundred thousand dollars ($3,500,000), for which they are jointly and severally liable (Civil Penalty). TerraCom and YourTel each specifically consent to the Commission's offset of the Civil Penalty against any USF support owed to TerraCom and/or YourTel until the Civil Penalty is paid in full. TerraCom and YourTel each agree that (i) the Commission, through the Bureau, may direct the USF administrator to effectuate the offset against all USF support owed to TerraCom and/or YourTel and to send all such USF support to the U.S. Treasury and (ii) TerraCom and YourTel will immediately send written affirmation to the USAC of their consent to offset until the Civil Penalty is paid in full. TerraCom and YourTel shall send electronic notification of payment to Johnny Drake, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission at Johnny.Drake@fcc.gov, and Mindy Littell, Investigations and Hearings Division, Federal Communications Commission at Mindy.Littell@fcc.gov, on the date said payment is made. The payment must be made by check or similar instrument, wire transfer, or credit card, and must include the NAL Account Number and FRN referenced above. Regardless of the form of payment, a completed FCC Form 159 (Remittance Advice) must be submitted. When completing the FCC Form 159, enter the NAL Account Number in block number 23A (call sign/other ID) and enter the letters "FORF" in block number 24A (payment type code). Below are additional instructions that should be followed based on the form of payment selected:

* Payment by check or money order must be made payable to the order of the Federal Communications Commission. Such payments (along with the completed Form 159) must be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000, or sent via overnight mail to U.S. Bank - Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101.

* Payment by wire transfer must be made to ABA Number 021030004, receiving bank TREAS/NYC, and Account Number 27000001. To complete the wire transfer and ensure appropriate crediting of the wired funds, a completed Form 159 must be faxed to U.S. Bank at (314) 418-4232 on the same business day the wire transfer is initiated.

* Payment by credit card must be made by providing the required credit card information on FCC Form 159 and signing and dating the Form 159 to authorize the credit card payment. The completed Form 159 must then be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000, or sent via overnight mail to U.S. Bank - Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101.

Questions regarding payment procedures should be addressed to the Financial Operations Group Help Desk by phone, 1-877-480-3201, or by e-mail, ARINQUIRIES@fcc.gov.

Waivers. As of the Effective Date, TerraCom and YourTel each waive any and all rights they may have to seek administrative or judicial reconsideration, review, appeal or stay, or to otherwise challenge or contest the validity of this Consent Decree and the Adopting Order. TerraCom and YourTel shall retain the right to challenge Commission interpretation of the Consent Decree or any terms contained herein. If either Party (or the United States on behalf of the Commission) brings a judicial action to enforce the terms of the Consent Decree or the Adopting Order, neither TerraCom, YourTel, nor the Commission shall contest the validity of the Consent Decree or the Adopting Order, and TerraCom and YourTel each shall waive any statutory right to a trial de novo. TerraCom and YourTel each hereby agree to waive any claims they may otherwise have under the Equal Access to Justice Act relating to the matters addressed in this Consent Decree.

Severability. The Parties agree that if any of the provisions of the Consent Decree shall be held unenforceable by any court of competent jurisdiction, such unenforceability shall not render unenforceable the entire Consent Decree, but rather the entire Consent Decree shall be construed as if not containing the particular unenforceable provision or provisions, and the rights and obligations of the Parties shall be construed and enforced accordingly.

Invalidity. In the event that this Consent Decree in its entirety is rendered invalid by any court of competent jurisdiction, it shall become null and void and may not be used in any manner in any legal proceeding.

Subsequent Rule or Order. The Parties agree that if any provision of the Consent Decree conflicts with any subsequent Rule or Order adopted by the Commission (except an Order specifically intended to revise the terms of this Consent Decree to which TerraCom or YourTel, as applicable, do not expressly consent) that provision will be superseded by such Rule or Order.

Successors and Assigns. TerraCom and YourTel each agree that the provisions of this Consent Decree shall be binding on their successors, assigns, and transferees.

Final Settlement. The Parties agree and acknowledge that this Consent Decree shall constitute a final settlement between the Parties with respect to the Investigation.

Modifications. This Consent Decree cannot be modified without the advance written consent of all Parties.

Paragraph Headings. The headings of the paragraphs in this Consent Decree are inserted for convenience only and are not intended to affect the meaning or interpretation of this Consent Decree.

Authorized Representative. Each Party represents and warrants to the other that it has full power and authority to enter into this Consent Decree. Each person signing this Consent Decree on behalf of a Party hereby represents that he or she is fully authorized by the Party to execute this Consent Decree and to bind the Party to its terms and conditions.

Counterparts. This Consent Decree may be signed in counterpart (including electronically or by facsimile). Each counterpart, when executed and delivered, shall be an original, and all of the counterparts together shall constitute one and the same fully executed instrument.